> ## Documentation Index
> Fetch the complete documentation index at: https://docs.flashcat.cloud/llms.txt
> Use this file to discover all available pages before exploring further.

# Single Sign-On

> Sign in once and access multiple connected applications through single sign-on, improving work efficiency and enhancing security

Flashduty supports Single Sign-On (SSO) via SAML2.0, OIDC, CAS, and LDAP (private deployment only) protocols, helping you easily integrate with various applications and platforms. Users only need to sign in once to access multiple connected applications and services without repeated authentication.

## Configuring SAML Protocol

***

**Configuration path**: Platform Management → Single Sign-On → Enable → Settings → Select SAML2.0 protocol type

| Field                           | Description                                                                                                                                                                          |
| ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Protocol Type                   | Select SAML2.0                                                                                                                                                                       |
| Metadata Document               | XML document obtained from the identity provider                                                                                                                                     |
| Field Mapping                   | Flashduty extracts user email, username, and phone information from the identity provider through mapped fields                                                                      |
| Create Account on Sign In       | Enabled by default; when disabled, members must be invited before they can sign in                                                                                                   |
| SSO-only login (`force_sso`)    | Enabled by default. When on, every member of this account can sign in only via SSO; password and verification-code sign-in are rejected. See [SSO-only login](#sso-only-login) below |
| Flashduty Service Provider Info | **Service Provider Metadata** and **Assertion Consumer Service URL** (assertion address for identity provider to call for single sign-on)                                            |

## Configuring OIDC Protocol

***

**Configuration path**: Platform Management → Single Sign-On → Enable → Settings → Select OIDC protocol type

| Field                           | Description                                                                                                                                                                                          |
| ------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Protocol Type                   | Select OIDC protocol                                                                                                                                                                                 |
| Issuer                          | Obtained from identity provider, case-sensitive URL that cannot contain query parameters                                                                                                             |
| Client ID                       | Client ID, obtained from identity provider                                                                                                                                                           |
| Client Secret                   | Client secret, obtained from identity provider                                                                                                                                                       |
| Field Mapping                   | Flashduty extracts user email, username, and phone information from the identity provider through mapped fields                                                                                      |
| Create Account on Sign In       | Enabled by default; when disabled, members must be invited before they can sign in                                                                                                                   |
| SSO-only login (`force_sso`)    | Enabled by default. When on, every member of this account can sign in only via SSO; password and verification-code sign-in are rejected. See [SSO-only login](#sso-only-login) below                 |
| Scopes                          | Specifies the information and functionality permissions the request can access, with support for customization. Defaults to `openid`, `profile`, `email`, `phone`; you can add custom scopes as tags |
| Flashduty Service Provider Info | **Redirect URL**: Identity provider callback address<br />**Supported Signing Algorithms**: RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512 (HS256 not supported)                      |

<Warning>
  Scopes is a required field. The default values `openid`, `profile`, `email`, `phone` are the base permissions needed for OIDC to function properly. Removing these defaults may cause single sign-on to fail or prevent correct retrieval of user information. If you need to add custom scopes, add them while keeping the defaults intact.
</Warning>

## Configuring CAS Protocol

***

**Configuration path**: Platform Management → Single Sign-On → Enable → Settings → Select CAS protocol type

| Field                           | Description                                                                                                                                                                          |
| ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Protocol Type                   | Select CAS protocol                                                                                                                                                                  |
| CAS Address                     | CAS service address obtained from identity provider, e.g., `https://xqlsd3irx2gm-demo.authing.cn/cas-idp/669e050856d5b07b4399b242`                                                   |
| CAS Login Path                  | CAS login path, e.g., `/login`                                                                                                                                                       |
| Skip TLS Check                  | Optional; when enabled, skips TLS certificate verification, suitable for CAS services using self-signed certificates                                                                 |
| Field Mapping                   | Flashduty extracts user email, username, and phone information from the identity provider through mapped fields                                                                      |
| Create Account on Sign In       | Enabled by default; when disabled, members must be invited before they can sign in                                                                                                   |
| SSO-only login (`force_sso`)    | Enabled by default. When on, every member of this account can sign in only via SSO; password and verification-code sign-in are rejected. See [SSO-only login](#sso-only-login) below |
| Flashduty Service Provider Info | **Redirect URL**: Identity provider callback address                                                                                                                                 |

## Configuring LDAP Protocol

***

<Note>
  LDAP single sign-on is only supported in the **private deployment version**.
</Note>

**Configuration path**: Platform Management → Single Sign-On → Enable → Settings → Select LDAP protocol type

| Field                        | Description                                                                                                                                                                                                                                                             |
| ---------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Protocol Type                | Select LDAP protocol                                                                                                                                                                                                                                                    |
| LDAP URL                     | LDAP service address, e.g., `ldap://10.10.10.10:389`                                                                                                                                                                                                                    |
| BIND DN                      | Username for connecting to LDAP, e.g., `cn=admin,dc=flashduty,dc=com`                                                                                                                                                                                                   |
| BIND DN Password             | Password for connecting to LDAP, stored encrypted in the database                                                                                                                                                                                                       |
| Encryption                   | Supports **TLS** and **StartTLS** encryption methods (mutually exclusive, only one can be enabled). After enabling either method, you can optionally **skip SSL/TLS certificate verification**; if not skipped, you can optionally provide the SSL/TLS certificate path |
| User DN                      | Defines where to start searching for users, e.g., `ou=people,dc=flashduty,dc=com`                                                                                                                                                                                       |
| Auth Filter                  | Custom filter expression for retrieving user DN information, basic form: `(&(mail=%s))`. Note: Opening and closing parentheses are required                                                                                                                             |
| Field Mapping                | Flashduty extracts user email, username, phone, and Group information from the identity provider through mapped fields. Email is a required mapping field. The Group field defaults to `memberOf` and is used for role and team synchronization                         |
| Create Account on Sign In    | Enabled by default; when disabled, members must be invited before they can sign in                                                                                                                                                                                      |
| SSO-only login (`force_sso`) | Enabled by default. When on, every member of this account can sign in only via SSO; password and verification-code sign-in are rejected. See [SSO-only login](#sso-only-login) below                                                                                    |

<Tip>
  Field mapping must be consistent with the identity provider configuration, otherwise it will cause errors. For specific configuration, refer to [OpenLDAP Integration Guide](/en/on-call/integration/sso/openldap).
</Tip>

### LDAP Connection Test

After configuring the LDAP connection information, you can click the **Connection Test** button at the bottom of the settings drawer to verify that Flashduty can successfully connect to your LDAP server. The system will attempt to establish a connection using the currently entered LDAP URL, BIND DN, and password, and return a success or failure result.

<Tip>
  We recommend running the connection test before saving the configuration to ensure connection parameters are correct, avoiding login failures due to misconfiguration.
</Tip>

### LDAP Role and Team Synchronization

When using the LDAP protocol, you can automatically synchronize Flashduty roles and teams based on the user's LDAP Group membership.

**Configuration path**: LDAP Settings page → Sync Configuration

<Steps>
  <Step title="Enable Synchronization">
    In the sync configuration area, enable the **Sync Roles** and/or **Sync Teams** toggles.
  </Step>

  <Step title="Add Mapping Rules">
    Click **Add Mapping Rule** and configure the following for each rule:

    | Field            | Description                                                                                     |
    | ---------------- | ----------------------------------------------------------------------------------------------- |
    | **Group DN**     | The full Distinguished Name of the Group in LDAP, e.g., `cn=devops,ou=groups,dc=example,dc=com` |
    | **Mapped Roles** | Available when Sync Roles is enabled; select the Flashduty roles this Group maps to             |
    | **Mapped Teams** | Available when Sync Teams is enabled; select the Flashduty teams this Group maps to             |
  </Step>

  <Step title="Configure Default Roles">
    When Sync Roles is enabled, you can configure **Default Roles**. When a user's LDAP Groups do not match any mapping rule, the system will assign these default roles.
  </Step>
</Steps>

<Note>
  * You can add multiple mapping rules, each corresponding to one LDAP Group
  * When a user signs in, the system automatically matches and synchronizes the corresponding roles and teams based on their LDAP Group membership
  * The Group DN in mapping rules must be the full path of the Group in LDAP
</Note>

## SSO-only login

***

The `force_sso` option restricts every member of the account to signing in through SSO, fully delegating authentication to the identity provider.

**Configuration path**: Platform Management → Single Sign-On → Enable → Settings → **Members can only sign in via SSO**

| Item          | Behavior                                                                                                                 |
| ------------- | ------------------------------------------------------------------------------------------------------------------------ |
| Field name    | `force_sso`                                                                                                              |
| Default       | **On** — the toggle in the settings drawer is pre-filled to enabled the first time SSO is configured                     |
| When enabled  | Every member of the account can sign in only via SSO; password and verification-code sign-in are rejected by the backend |
| When disabled | Members may sign in via SSO, password, or verification code                                                              |
| Exemptions    | **None.** The account owner and super-admins are also subject to this restriction — there is no bypass branch            |

When this option is on and a member attempts password or verification-code sign-in, the login endpoint returns:

```text theme={null}
This account requires SSO login. Password/code login is disabled.
```

The same restriction applies when switching accounts inside a password session: if the target account has `force_sso` enabled, the switch is rejected with `The target account requires SSO login. Switching via password session is not allowed.`

<Warning>
  **Operational risk**: Once `force_sso` is on, if the identity provider (IdP) is not reachable or misconfigured, every member of the account — including the account owner — will be locked out. Before turning this toggle on:

  1. Sign in end-to-end via SSO with at least one member account to verify the IdP flow works.
  2. Make sure the account owner has a working SSO sign-in path, so you cannot accidentally lock yourself out.
  3. If the IdP may be temporarily unavailable, keep this toggle off and re-enable it after the IdP is verified.
</Warning>

### Comparison with "Prevent editing external members"

`force_sso` controls **how members sign in** — whether password and verification-code sign-in are allowed. `sso_user_non_editable` ([Prevent editing external members](#external-member-management)) controls **member editability** — whether SSO-synchronized external members can have their profile and role modified in the console. The two settings act on different layers and can be toggled independently.

## External member management

***

When you enable single sign-on, members automatically created through their first SSO login are marked as **external members**. You can enable the **Prevent editing external members** option in SSO settings (disabled by default). When enabled, these external members become read-only in Flashduty — you cannot modify their roles or delete them in Flashduty. All member management must be done through the identity provider.

This feature is ideal for organizations that need to centrally manage user permissions in the identity provider, ensuring member information in Flashduty always stays in sync.

<Note>
  * This option only affects external members created via SSO; manually invited members are not affected
  * If the SSO configuration is deleted, existing external members remain read-only by default
</Note>

## Login Domain Management

***

The login domain is an important identifier for your account, used to locate the correct SSO configuration during single sign-on. Each account's login domain is globally unique.

After configuring the login domain, members can initiate single sign-on directly through the `{domain}.sso.flashcat.cloud` address without manually selecting an identity provider.

You can modify the account domain on the **Platform Management → Basic Information** page. The domain must be 5–40 characters long and can only contain letters, numbers, or `-`, and cannot start or end with `-`.

<Warning>
  After changing the domain, it will apply to the following scenarios:

  * **SSO single sign-on configuration**: All configured SSO login domains will change accordingly. Members will need to use the new domain to initiate single sign-on
  * **Email integration push addresses**: The email integration receiving address format is `prefix@{domain}.{email-suffix}`. The address changes when the domain changes, so update related configurations promptly

  Before modifying, ensure you have checked your email integration configuration and notified your organization. The modification may require multi-factor authentication (MFA) verification. If you encounter any issues, contact technical support promptly.
</Warning>

<Note>
  * It is recommended to use your company's English name as the login domain for easy memorization
  * Once set, changing the login domain will immediately invalidate the old domain; members using the old domain will need to update their login address
</Note>

## Best Practices

***

<CardGroup cols={3}>
  <Card title="Authing Integration" icon="shield-check" href="/en/on-call/integration/sso/authing">
    Configure Flashduty SSO single sign-on through Authing
  </Card>

  <Card title="Keycloak Integration" icon="key" href="/en/on-call/integration/sso/keycloak">
    Configure Flashduty SSO single sign-on through Keycloak
  </Card>

  <Card title="OpenLDAP Integration" icon="server" href="/en/on-call/integration/sso/openldap">
    Configure Flashduty SSO single sign-on through OpenLDAP
  </Card>
</CardGroup>
